gocsaf / csaf

Tools to download or provide CSAF (Common Security Advisory Framework) documents.
https://csaf.io

Increase coverage to 75% #524

Open JanHoefelmeyer opened 9 months ago

JanHoefelmeyer commented 9 months ago

To allow for easier testing, we should evaluate the test coverage of the code, find a way to automate it and raise it to at least 75% if necessary.

s-l-teichmann commented 8 months ago

go test -coverprofile=coverage.out ./...
go tool cover -func coverage.out | awk '/total:/ {print $3}'
5.6%

tschmidtb51 commented 8 months ago

An option could also be to provide an external repo with test cases / setups and test different scenarios.

oxisto commented 6 months ago

If there is any interest in this, we put together a quick testing harness for a "mock" / test provider, which can be used in unit tests to simulate a trusted provider with different settings (so far only metadata, no "content" yet). See https://github.com/clouditor/clouditor/blob/0e197d424ef4219f5c0705b5cbdd91cf7713236f/service/discovery/extra/csaf/providertest/providertest.go

It can be used like this:

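// Start a mock trusted provider; the callback customizes the
// provider metadata (PMD) that it serves.
p := providertest.NewTrustedProvider(func(pmd *csaf.ProviderMetadata) {
    pmd.Publisher = &csaf.Publisher{
        Name:      util.Ref("Test Vendor"),
        Category:  util.Ref(csaf.CSAFCategoryVendor),
        Namespace: util.Ref("http://localhost"),
    }
})

// Load the PMD from the mock provider's domain using its
// preconfigured TLS client.
loader := csaf.NewProviderMetadataLoader(p.Client())
metadata := loader.Load(p.Domain())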

It uses httptest under the hood to create a local HTTP server on a random port using a predefined TLS test certificate embedded in the Go runtime. Client() can be used to return an already configured TLS client with the necessary CA, and Domain() returns the domain needed to find the PMD.

If there is any interest, I can open up a PR here and port these things upstream.
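
A minimal sketch of the mechanism described in the comment above (a local TLS server from httptest, a client that trusts its certificate, and a domain to load the PMD from), as an added example that is not part of the original thread and is not the providertest package itself. It uses only the Go standard library; `mockProvider`, `newMockProvider` and `fetchPMD` are hypothetical names, and the PMD fields are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// wellKnownPMD is the well-known location of provider-metadata.json.
const wellKnownPMD = "/.well-known/csaf/provider-metadata.json"

// mockProvider is a hypothetical stand-in for a trusted CSAF provider.
type mockProvider struct{ srv *httptest.Server }

// newMockProvider serves pmd over TLS on a random local port.
func newMockProvider(pmd map[string]any) *mockProvider {
	mux := http.NewServeMux()
	mux.HandleFunc(wellKnownPMD, func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(pmd)
	})
	return &mockProvider{srv: httptest.NewTLSServer(mux)}
}

// Client returns an HTTP client that trusts the test server's certificate.
func (p *mockProvider) Client() *http.Client { return p.srv.Client() }

// Domain returns host:port, the value a loader would resolve the PMD from.
func (p *mockProvider) Domain() string { return p.srv.Listener.Addr().String() }

// fetchPMD downloads and decodes the PMD from the well-known path.
func fetchPMD(c *http.Client, domain string) (map[string]any, error) {
	resp, err := c.Get("https://" + domain + wellKnownPMD)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var pmd map[string]any
	err = json.NewDecoder(resp.Body).Decode(&pmd)
	return pmd, err
}

func main() {
	p := newMockProvider(map[string]any{"role": "csaf_trusted_provider"}) // constructed sample
	defer p.srv.Close()
	pmd, err := fetchPMD(p.Client(), p.Domain())
	fmt.Println(pmd["role"], err)
	_, err = fetchPMD(http.DefaultClient, p.Domain()) // lacks the test CA, so TLS verification fails
	fmt.Println("default client rejected:", err != nil)
}
```

The second fetch shows why the test client is needed: a client without the test CA refuses the connection, so a test that passes with `Client()` still exercises real certificate verification.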

anatheka commented 6 months ago

Maybe you want something like Codecov for the test coverage (see https://about.codecov.io/). Codecov is a coverage reporting solution which can be used to analyze a pull request's test coverage. It can be included in the GitHub workflow and comments an overview of how a pull request affects the code coverage in the PR. We use it in Clouditor to ensure a minimum test coverage. You can find a Codecov report example under https://github.com/clouditor/clouditor/pull/1427 or in an open PR under https://github.com/clouditor/clouditor/pulls.

oxisto commented 6 months ago

> Maybe you want something like Codecov for the test coverage (see https://about.codecov.io/). Codecov is a coverage reporting solution which can be used to analyze a pull request's test coverage. It can be included in the GitHub workflow and comments an overview of how a pull request affects the code coverage in the PR. We use it in Clouditor to ensure a minimum test coverage. You can find a Codecov report example under clouditor/clouditor#1427 or in an open PR under https://github.com/clouditor/clouditor/pulls.

This PR also includes an example of how we are using the providertest package internally in the function Test_csafDiscovery_List: https://github.com/clouditor/clouditor/blob/cec48bf310b93f4b2e3bd3771c9cd98768ee5617/service/discovery/extra/csaf/discovery_test.go#L139. We basically create a mock CSAF provider with this package and then test the expected outcome against the test provider.

bernhardreiter commented 6 months ago

This is on the back burner for us currently, as an external test suite or external libraries could potentially replace part of the product's internal testing.